#!/bin/bash

BITS=2048
#ECCURVE=secp256k1
ECCURVE=prime256v1
# RSA
CRYPTO=rsa:$BITS
#CRYPTO=dsa:dsaparam.pem # DSS certificates
#CRYPTO=ec:ecparam.pem # ECDSA certificates

DIGEST=-sha256

# Only RSA can also be used for key exchange, so if using DSS/ECDSA need EDH,ECDH,SRP etc.

EXPIRY=365

# Generate parameters for various algorithms
openssl dsaparam -out dsaparam.pem $BITS
openssl ecparam -out ecparam.pem -name $ECCURVE
openssl dhparam -out dhparam.pem -5 512

# Create a self-signed root CA cert
openssl req -x509 -batch -subj '/C=GB/O=TEST ROOT/' -nodes -days $EXPIRY -newkey $CRYPTO $DIGEST -keyout rootkey.pem -out root.pem

### Server ###

# Create a request for second level CA certificate
openssl req -batch -subj '/C=GB/O=TEST CA/' -nodes -newkey $CRYPTO $DIGEST -keyout cakey.pem -out careq.pem
# and sign the request with the appropriate extensions
openssl x509 -req -CA root.pem -CAkey rootkey.pem -CAcreateserial $DIGEST -days $EXPIRY -in careq.pem -out ca.pem -extfile extfile.txt

# Create a request for server certificate
openssl req -batch -subj '/C=GB/O=TEST SERVER/CN=testserver' -nodes -newkey $CRYPTO $DIGEST -keyout serverkey.pem -out serverreq.pem
# and sign the request
openssl x509 -req -CA ca.pem -CAkey cakey.pem -CAcreateserial $DIGEST -days $EXPIRY -in serverreq.pem -out servercert.pem -extfile ocsp.txt
# include in server cert chain
cat servercert.pem > serverchain.pem

# Trusted CAs for server
cat root.pem > servercas.pem

# So the server can send a complete chain, we must _either_ include
# the intermediate CA in the set of trusted CAs _or_ explicitly
# include it in the certificate chain.
#cat ca.pem >> servercas.pem
cat ca.pem >> serverchain.pem

### Client ###

#CRYPTO=rsa:1024

# Create a request for another second level CA certificate
openssl req -batch -subj '/C=GB/O=TEST CA 2/' -nodes -newkey $CRYPTO $DIGEST -keyout ca2key.pem -out ca2req.pem
# and sign the request with the appropriate extensions
openssl x509 -req -CA root.pem -CAkey rootkey.pem -CAcreateserial $DIGEST -days $EXPIRY -in ca2req.pem -out ca2.pem -extfile extfile.txt

# Create a request for client certificate
openssl req -batch -subj '/C=GB/O=TEST CLIENT/' -nodes -newkey $CRYPTO $DIGEST -keyout clientkey.pem -out clientreq.pem
# and sign the request 
openssl x509 -req -CA ca2.pem -CAkey ca2key.pem -CAcreateserial $DIGEST -days $EXPIRY -in clientreq.pem -out clientcert.pem

# Trusted CAs for client
cat root.pem > clientcas.pem

# We must _either_ include the intermediate CA in the set of trusted CAs
# _or_ explicitly include it in the certificate chain.
# or we can also make a directory of trusted certificates

#cat ca2.pem >> clientcas.pem
#cat ca2.pem >> clientcert.pem

{
    mkdir -p clientcerts
    cd clientcerts
    rm -f *
    certs='root.pem ca2.pem'
    for i in $certs; 
    do
	ln -s -f ../$i $(openssl x509 -noout -hash -in ../$i).0;
    done
}

# Show the results
#openssl req -text -in serverreq.pem
#openssl x509 -text -in servercert.pem
